Passwords have been employed for centuries to enhance security, long before digital computers and information systems were invented. For example, previously-agreed passwords were used between messengers in Roman times for authentication purposes; passwords were used in battlefields for verifying that a given person approaching a guard post was a friend, and not a foe. Contemporary information society is heavily reliant upon use of passwords, for example for sign-in (i.e., signing-in) to computers, for sign-in to smart phones, for activating televisions, for accessing payment terminals, for inputting data into self-service library automats, and so forth. Moreover, passwords are also contemporarily used for verifying an authenticity of a user in many mutually different social services and social media services, in online banking, in operating systems, in e-mail servers and so forth.
In order to improve security in contemporary digital information systems, it is conventional practice to employ a plurality of different security methods, for example:
(i) Basic access authentication (Basic Auth., see reference [1]);
(ii) Digest access authentication (see reference [2]);
(iii) Kerberos protocol (see reference [3]);
(iv) NT LAN Manager (see reference [4]);
(v) OAuth (see reference [5]);
(vi) OpenID (see reference [6]);
(vii) Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO, see reference [7]); and
(viii) Secure Remote Password protocol (SRP, see reference [8]);
(ix) Transport Layer Security (TLS) client-authenticated handshake (see reference [9]),
and so forth. Items (i) to (ix) above include trademarks.
Almost all contemporary protection methods that are based upon passwords suffer from known technical weaknesses. However, on account of various information leaks, data security breaches and disclosures that have targeted large data service providers, information security technology has advanced considerably in recent years. These breaches, leaks and disclosures have, in practice, forced information security experts to devise new types of security methods.
It is generally known that using passwords is necessary, and yet it causes various problems in modern society that depends upon information systems. Regardless of a type of information system or of a type of data security configuration that is employed, it is users of such information systems that eventually cause vulnerabilities in data security and information security, either because of their ignorance or because of their indifference. Almost daily, reports are published about broken user accounts, leaked passwords, about various types of malware which are used to extort money for return of personal private information stolen from a broken user account, and so forth.
Presently known user authentication technology is based upon transmitting a user identification and/or password to a server of a service provider or to a terminal device, using an encrypted data communication connection, wherein the security is principally based on certificates provided by trusted parties. It is contemporarily generally known that an encrypted connection does not guarantee that vital sign-in (i.e., signing-in) information of users is not accessible, in an unencrypted state, to malicious unauthorized parties; merely just one weak link in a chain of communication is potentially sufficient to leak the vital sign-in information to the malicious unauthorized parties.
Despite measures taken to secure data, it is generally known that the Internet® (operating pursuant to Internet Protocol (IP), such as Transmission Control Protocol (TCP) and User Datagram Protocol (UDP), but not limited thereto) as a global information network makes it possible not only for superpowers, but also for many multinational companies, to spy on people and to track their activity, because each time that contemporary information systems are used, digital meta traces are left behind. These digital meta traces or passive digital footprints can always, with high probability, be tracked and connected with an individual unique user who is possibly, for example, a legal person. The tracking can be performed even retroactively, given enough computing resources.
It is also generally well-known that current national legislation cannot distinctly have an effect on multinational software arrangements that centralize their associated authorization, namely also their associated sign-in (i.e., signing-in) processes, onto servers of producers, that usually reside in a territory of a foreign nation and the legislation of which may thus be in conflict with the legislation of the nation in which the service is actually being used. As a result, the Internet has become a battlefield in a new type of war, where several nations attempt to protect their citizens by passing new laws that would prevent their citizens from using services provided by an infrastructure (namely, network nodes and servers) that is controlled by foreign nations, ostensibly for reasons of national security. In other words, a variance of national laws in relation to international agreements can potentially create security uncertainties, for example in a situation where a given data server is centralized in one nation and there are no unified rules in other nations with which the given data server interacts.
Moreover, it is a contemporary problem that personal accounts are broken into, or personally sensitive information is stolen. However, there are not often simple and distinct contemporary approaches to address such problems. Moreover, for many users, it is often almost impossible to adapt to using complex tools and procedures, such as encrypting e-mails by using Pretty Good Privacy (PGP®) model or similar types of encryption, both in the abstract sense and regarding the technical procedures. Therefore, it is desirable in practice that it should never be the main responsibility of a given user to protect his or her information against malware and unauthorized access, because contemporary users range from young children to senior citizens; such people rarely pay attention to security issues when they fulfill their various online needs, for example social media interactions and on-line shopping activities.
In a published United States patent document US 2013/152179 A1 (LEE et al.; “System and Method for User Authentication Using One-time Identification”), there is described a system for user authentication using One-Time IDentifications (OTIDs), including a client terminal configured to generate a number of OTIDs that are used in the user authentication, and to sequentially select one of the generated OTIDs to use the selected OTID as a user identification in each authentification session. Moreover, the system includes an authentication server configured to receive from the client terminal and store the generated OTIDs; when the selected OTID and a secret key are received, inquire the OTID in a database, and determine whether a secret key that is associated with the inquired OTID and stored in the database match with the received secret key to perform the user authentication.
In a published WO patent document WO 2007/117131 A1 (Trust Integration Services B.V.; “Arrangement of and Method for Secure Data Transmission”), there is described a method and system for secure data transmission between a client and a third-party computer arrangement. The method includes: a) authenticating a user of the client by a security server via a communication session; b) making available a key pair by the security server, the key pair including a public key and a private key; c) performing the secure data transmission between the client and the third-party computer arrangement while using the key pair. The key pair has a limited life time defined by: a predetermined duration in time, or a predetermined number of communication sessions, or a predetermined number of actions.
In a published United States patent document US 2008/034216 A1 (Eric Chun Wah Law (US); “Mutual Authentication and Secure Channel Establishment between Two Parties Using Consecutive One-time Passwords”), there is described a communication system and method configured for mutual authentication and secure channel establishment between two parties. A first party generates a first one-time password and sends it to a second party. The second party authenticates the first party by generating a one-time password using the same algorithm, secrets and parameters, and matches it with the received first one-time password. If the received first one-time password matches with the generated password, the second party generates a consecutive one-time password, and establishes a secure channel to the first party using the consecutive one-time password. The first party generates a consecutive one-time password and authenticates the second party by successfully communicating with the second party using the secure channel.
In a published EP patent document EP2911365 (A1) (Dejamobile (FR); “Method and System for Protecting Transactions Offered by a Plurality of Services between a Mobile Device of a User and an Acceptance Point”), there is described a method for securing a transaction of a service between a mobile device of a user and an acceptance point. The method includes creating, on a security server, at least one token for a given service and a user service, each token having a value, wherein each token is encrypted. The method further includes transmitting, by the security server, the encrypted token to the mobile device, and storing the encrypted token at the mobile device during a transaction between the mobile device and the acceptance point. The method further includes transmitting the encrypted token previously stored from the mobile device to the acceptance point. The method further includes decrypting, at the acceptance point, the encrypted token, and verifying that the decrypted token is valid for the transaction.